Robert Story wrote:
Exactly. The attackers do use EDNS0 [RFC2671], which allows clients to declare
the maximum size of UDP message they are willing to handle. So the spoofed
packet sets this value to whatever they want.
MS So, you can send a
--On 8 March 2006 14.58.20 -0500 gboyce [EMAIL PROTECTED] wrote:
On Wed, 8 Mar 2006, Security Lists wrote:
Sorry, I don't see this as amplification in your example, because YOUR
dns servers are 100% of the traffic. 1:1 ratio.
Once the first request to the nameservers is made, the
On Wed, 8 Mar 2006 15:55:21 -0700 Mark wrote:
MS Correct me if I'm wrong, but I was under the impression that DNS
MS responses that go over the max size of a UDP datagram won't get split
MS into multiple UDP datagrams. Rather, a response with only partial
MS data will be sent back, and the client
In the scenario you describe, I cannot see any actual amplification...
I'll give you a scenario where you can see.
Let's say you have 2 name servers that are local to you.
I set up a domain, example.com. In this domain I create a text record which is
100K in length, I don't know, perhaps I paste
Correct me if I'm wrong, but I was under the impression that DNS
responses that go over the max size of a UDP datagram won't get split
into multiple UDP datagrams. Rather, a response with only partial
data will be sent back, and the client has to reconnect over TCP to
get the full data.
RFC 2671
Sorry, I don't see this as amplification in your example, because YOUR
dns servers are 100% of the traffic. 1:1 ratio.
Now, if you get the world to cache your text records, and have THEM
flood with source-spoofed UDP (unrelated to the victim's DNS servers),
that'd work, and is actually a
On Wed, 8 Mar 2006, Security Lists wrote:
Sorry, I don't see this as amplification in your example, because YOUR dns
servers are 100% of the traffic. 1:1 ratio.
Once the first request to the nameservers is made, the object should be
cached by the nameservers. Instead of one packet to each